# [−][src]Module curve25519_dalek::montgomery

Scalar multiplication on the Montgomery form of Curve25519.

To avoid notational confusion with the Edwards code, we use variables \( u, v \) for the Montgomery curve, so that “Montgomery \(u\)” here corresponds to “Montgomery \(x\)” elsewhere.

Montgomery arithmetic works not on the curve itself, but on the
\(u\)-line, which discards sign information and unifies the curve
and its quadratic twist. See *Montgomery curves and their
arithmetic* by Costello and Smith for more details.

The `MontgomeryPoint`

struct contains the affine \(u\)-coordinate
\(u_0(P)\) of a point \(P\) on either the curve or the twist.
Here the map \(u_0 : \mathcal M \rightarrow \mathbb F_p \) is
defined by \(u_0((u,v)) = u\); \(u_0(\mathcal O) = 0\). See
section 5.4 of Costello-Smith for more details.

# Scalar Multiplication

Scalar multiplication on `MontgomeryPoint`

s is provided by the `*`

operator, which implements the Montgomery ladder.

# Edwards Conversion

The \(2\)-to-\(1\) map from the Edwards model to the Montgomery
\(u\)-line is provided by `EdwardsPoint::to_montgomery()`

.

To lift a `MontgomeryPoint`

to an `EdwardsPoint`

, use
`MontgomeryPoint::to_edwards()`

, which takes a sign parameter.
This function rejects `MontgomeryPoints`

which correspond to points
on the twist.

## Structs

MontgomeryPoint | Holds the \(u\)-coordinate of a point on the Montgomery form of Curve25519 or its twist. |